JP2013109393A - Information processing device and operation check method for memory protection device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable a check as to whether a memory protection device for detecting memory access having no access authority operates normally.SOLUTION: An information processing device includes: a memory; a system program for executing plural tasks each of which accesses the memory; a processor for executing the system program; and a memory protection device that, when a task accesses, from the processor using its authority, an area of the memory of which access authority is not provided to the task, detects the access as memory protection violation. The processor uses the authority of the task to intentionally access the area of the memory of which access authority is not provided to the task, by executing the system program, and determines whether the memory protection device has detected memory protection violation through the access.

Description

  The present invention relates to an information processing apparatus using a memory protection device that detects memory access without access authority and a method for confirming the operation of a memory management apparatus.

  Service robots must ensure functional safety by constantly monitoring the safety state with external sensors and self-diagnosis devices and executing appropriate safety control logic when any danger is detected.

  In addition to the service robots described above, IEC 61508 has been established as an international standard for functional safety for systems that operate on electrical principles such as transportation equipment. In IEC 61508, a system provided for ensuring functional safety is called a safety-related system. IEC 61508 defines various techniques for constructing a safety-related system using hardware such as a microprocessor and a PLC (Programmable Logic Controller) and a computer program (software). By using the technique defined in IEC 61508, it is possible to construct a safety-related system using a computer system.

  On the other hand, in recent years, the processing capability of programmable electronic devices such as microprocessors has improved. For this reason, a multi-task OS (Operating System) is used, and various application programs are executed in parallel on one computer system, thereby integrating multiple-use computer systems installed in service robots and automobiles. can do.

  For example, Patent Literature 1 discloses a technique for causing an application program (hereinafter referred to as a safety-related application) related to ensuring functional safety to operate on one computer system together with other application programs (hereinafter referred to as a non-safety-related application). Has been.

  When the technique defined in IEC 61508 is applied to the entire software including safety-related applications and non-safety-related applications, it is necessary to apply even to non-safety-related applications. For this reason, there is a problem that the software development cost increases.

  Therefore, in the technique disclosed in Patent Document 1, safety-related applications (safety monitoring program and safety control program) are made independent from non-safety-related applications (normal control program) by time partitioning of the system program. For this reason, the normal control program can be excluded from the safety-related system, which can contribute to the cost reduction of the safety-related system configured using the computer system.

JP 2010-271759 A

  Here, the technique disclosed in Patent Document 1 employs a technique called resource partitioning. In this technique, fixed resources such as execution memory are partitioned into partitions called resource partitions. The application is prohibited from accessing other resources beyond the pre-assigned resource partition.

  The applicant of the present application has found the problems described below when examining the above-described resource partitioning using an MMU (Memory Management Unit) or an MPU (Memory Protection Unit). The problem will be described below. In addition, the content demonstrated below is the content which the present applicant newly examined, and is not what demonstrated the prior art.

  In an operating system that employs time partitioning, as illustrated in FIG. 17, the operating application can be switched by switching the time partition. In FIG. 17, “TP1”, “TP2”, and “TP3” indicate time partitions, and “T1”, “T2”, and “T3” indicate tasks belonging to TP1 to TP3, respectively. It is assumed that the task is generated by executing a non-safety related application or a safety related application.

In such a case, the following four patterns can be considered as combinations of application switching.
1) Non-safety related applications to safety related applications 2) Safety related applications to safety related applications 3) Safety related applications to non-safety related applications 4) Non-safety related applications to non-safety related applications

  In FIG. 17, it is assumed that T1 belonging to TP1 is generated by a non-safety related application, and T2 belonging to TP2 is generated by a safety related application. In this case, for functional safety, T1 belonging to TP1, which is a non-safety related system, needs to prevent access to the resource partition of TP2, which is a safety related system.

  On the other hand, if the memory protection function of the MMU or MPU is used, resource partitioning can be performed by granting access authority to the resource partition corresponding to the time partition to each time partition. . Specifically, as shown in FIG. 18, T1 belonging to TP1 is given access authority to access only the memory area allocated to the resource partition of TP1, and T2 belonging to TP2 is assigned to TP2 Grant access authority to access only the memory area allocated to the resource partition. In this way, for example, when T1 accesses an area of memory allocated to the resource partition of T2, the access can be detected as a memory protection violation by the MMU or MPU. . This makes it possible to prevent a task belonging to a certain time partition from accessing a resource partition assigned to another time partition.

  However, there is a problem that if the MMU or MPU is out of order, the memory cannot be properly protected. For example, if the memory protection function does not work properly due to a failure, access authority is granted to tasks that were not originally granted access authority, and access that should be considered a memory protection violation There is a problem that it may become impossible to detect as a memory protection violation. That is, even when T1 is erroneously accessed and an area of the memory to which T1 is not originally granted access authority is accessed, there is a possibility that a memory protection violation is not detected and access is permitted.

  Therefore, in order to further improve the reliability of the system, it is necessary to detect such an abnormality of the MMU or MPU and prevent the system from continuing operation while the MMU or MPU is in an abnormal state. is there. For this purpose, a mechanism for confirming that the MMU or MPU is operating normally is necessary. However, there is no technique for confirming that the MMU or MPU is operating normally.

  Here, the MMU and the MPU are common in that they have a memory protection function for detecting a memory access without access authority. On the other hand, generally, the MMU and the MPU are different in that only the MMU of the MMU and the MPU has a virtual storage management function for converting a virtual address into a physical address.

  The present invention has been made based on the above-described knowledge, and an information processing apparatus capable of confirming whether or not a memory protection device that detects memory access without access authority is operating normally, and An object of the present invention is to provide a method for checking the operation of a memory protection device.

  An information processing apparatus according to a first aspect of the present invention includes a memory, a system program that executes a plurality of tasks each accessing the memory, a processor that executes the system program, and the processor that is authorized by the task A memory protection device that detects the access as a memory protection violation when the access to the memory from the access is an access to an area for which the access authority is not granted to the task, and the processor includes the system By executing a program, the memory area where the access authority is not granted to the task is intentionally accessed by the task authority, and the memory protection device detects the memory protection violation by the access. Whether or not.

  The operation check method of the memory protection device according to the second aspect of the present invention is such that access to the memory by the authority of the task from a processor executing a system program that executes a plurality of tasks each accessing the memory is A method for confirming the operation of a memory protection device that detects an access as a memory protection violation when the access is not made to an area to which a task has no access authority. Deliberately accessing an area of the memory to which no access right is granted, and determining whether or not the memory protection device has detected the memory protection violation by the access by the processor; It is equipped with.

  According to each aspect of the present invention described above, the operation check of the information processing apparatus and the memory management apparatus that can confirm whether or not the memory protection device that detects a memory access without access authority is operating normally. A method can be provided.

It is a block diagram which shows the structural example of the safety control apparatus concerning Embodiment 1 of invention. It is a figure for demonstrating the concept of the time partitioning in Embodiment 1 of invention. It is a conceptual diagram for demonstrating the concept of the resource partitioning in Embodiment 1 of invention. It is a figure which shows the relationship between the partition scheduler and task in Embodiment 1 of invention. It is a figure which shows the specific example of a scheduling pattern. It is a figure which shows the specific example of a scheduling pattern. It is a flowchart which shows the specific example of the process sequence of the partition scheduler concerning Embodiment 1 of invention. It is a flowchart which shows the specific example of the process sequence of the MMU confirmation routine concerning Embodiment 1 of invention. It is a figure which shows an example of the execution timing of a MMU confirmation routine. It is a figure which shows the relationship between the partition scheduler and task in Embodiment 2 of invention. It is a flowchart which shows the specific example of the process sequence of the partition scheduler concerning Embodiment 2 of invention. It is a block diagram which shows the structural example of the safety control apparatus concerning Embodiment 3 of invention. It is a figure which shows the relationship between the partition scheduler and task in Embodiment 3 of invention. It is a figure which shows the specific example of a scheduling pattern. It is a figure which shows the specific example of a scheduling pattern. It is a figure which shows the relationship between the partition scheduler and task in Embodiment 4 of invention. It is a figure which shows the relationship between the partition scheduler concerning other embodiment, and a task. It is a figure which shows the relationship between the partition scheduler concerning other embodiment, and a task. It is a figure for demonstrating a subject. It is a figure for demonstrating a subject.

  Hereinafter, specific embodiments to which the present invention is applied will be described in detail with reference to the drawings. In the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted as necessary for the sake of clarity.

<Embodiment 1 of the Invention>
The safety control device 1 according to the present embodiment is mounted on a service robot, a transportation device, or the like, and executes safety control for ensuring functional safety. The safety control device 1 is configured to execute a safety-related application and a non-safety-related application on the same computer system. FIG. 1 is a block diagram illustrating a configuration example of the safety control device 1 according to the present embodiment.

  The processor 10 performs calculation processing according to acquisition of a program (instruction stream), instruction decoding, and instruction decoding result. Although only one processor 10 is shown in FIG. 1, the safety control device 1 may have a multiprocessor configuration having a plurality of processors 10. The processor 10 may be a multi-core processor. The processor 10 provides a multiprogramming environment by executing an operating system (OS) 100 as a system program. A multi-programming environment is an environment in which multiple programs are executed in parallel by periodically switching and executing multiple programs, or by switching the programs to be executed in response to the occurrence of a certain event. means.

  Multiprogramming is sometimes called multiprocess, multithread, multitask, and the like. A process, a thread, and a task mean a program unit that is executed in parallel in a multiprogramming environment. The multi-programming environment included in the processor 10 of the present embodiment may be a multi-process environment or a multi-thread environment.

  The execution memory 11 is a memory used for program execution by the processor 10. The execution memory 11 stores programs (such as the OS 100 and applications 101 to 103) loaded from the nonvolatile memory 13, input / output data of the processor 10, and the like. The processor 10 may directly execute these programs from the nonvolatile memory 13 without loading the programs from the nonvolatile memory 13 to the execution memory 11.

  Specifically, the execution memory 11 may be a random accessible volatile memory such as SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory). The execution memory 11 in FIG. 1 represents a logical unit. That is, the execution memory 11 may be, for example, a combination of a plurality of SRAM devices, a combination of a plurality of DRAM devices, or a combination of an SRAM device and a DRAM device.

  The I / O port 12 is used for data transmission / reception with an external device. For example, when the safety control device 1 is mounted on a service robot, the external device is various sensors and actuators that operate the service robot. In this case, the various sensors include, for example, a visual sensor capable of measuring obstacles around the service robot, a posture sensor for detecting the posture of the service robot, and a rotation center for detecting the state of the actuator of the service robot. It includes a sensor that detects the internal and external status of the service robot.

  The non-volatile memory 13 is a memory device capable of maintaining stored contents more stably than the execution memory 11 without receiving power supply. For example, the nonvolatile memory 13 is a ROM (Read Only Memory), a flash memory, a hard disk drive or an optical disk drive, or a combination thereof. The nonvolatile memory 13 stores the OS 100 and the applications 101 to 103. Note that at least a part of the nonvolatile memory 13 may be configured to be removable from the safety control device 1. For example, the memory storing the applications 101 to 103 may be removable. Further, at least a part of the nonvolatile memory 13 may be disposed outside the safety control device 1.

  The OS 100 is executed by the processor 10 to use task resources including task scheduling, interrupt management, time management, resource management using hardware resources such as the processor 10, the execution memory 11, and the nonvolatile memory 13. Provides inter-task synchronization and inter-task communication mechanism.

  Further, in order to increase the independence of the safety monitoring application 101 and the safety control application 103 related to ensuring functional safety from the normal control application 102, the OS 100 has a function of protecting hardware resources temporally and spatially. . Here, the hardware resources include the processor 10, the execution memory 11, and the I / O port 12.

  Of these, temporal protection is performed by partitioning a temporal resource called the execution time of the processor 10. Specifically, temporal protection is performed by partitioning the execution time of the processor 10 and assigning a task (process or thread) to each partition (referred to as a time partition). The scheduling function (partition scheduler 21) of the OS 100 guarantees the use of resources including the execution time of the processor 10 for tasks assigned to each time partition (hereinafter sometimes referred to as TP).

  FIG. 2 is a conceptual diagram related to time partitioning. In the example of FIG. 2, an example in which a predetermined cycle time is divided into three TP1, TP2, and TP3 is shown. For example, when one cycle time is 100 Tick, the first 20 Tick is defined as TP1, the middle 30 Tick is defined as TP2, and the second 50 Tick is defined as TP3.

  In the example of FIG. 2, the first application (APL1) to the fourth application (APL4) are assigned to any one of TP1 to TP3. The scheduling function (partition scheduler 21) of the OS 100 selects / determines which of TP1 to TP3 is activated as time elapses. Then, the application assigned to the active TP is executed by the processor 10.

  On the other hand, spatial protection is performed by partitioning fixed resources including the execution memory 11 and the I / O port 12 and assigning tasks to each partition (referred to as a resource partition). The scheduling function (partition scheduler 21) of the OS 100 prohibits a task from accessing other resources beyond a pre-assigned resource partition (hereinafter sometimes referred to as RP).

  FIG. 3 is a conceptual diagram related to resource partitioning. In the example of FIG. 3, two RPs (RP1 and RP2) are shown. A part of the execution memory 11 and the nonvolatile memory 13 (A area) and a part of the I / O port 12 (port A) are allocated to RP1. Further, another part (B area) of the execution memory 11 and the nonvolatile memory 13 and another part (port B) of the I / O port 12 are allocated to RP2. Access from RP1 to the resource assigned to RP2 is prohibited, and access from RP2 to the resource assigned to RP1 is prohibited. Resource partitioning in the execution memory 11 is realized by using the memory protection function of the MMU described later.

  Note that not all resources need to be exclusively assigned to any RP. That is, there may be a resource shared by a plurality of RPs. For example, when performing safety control of a service robot, the actuator needs to be accessible from both the normal control application 102 and the safety control application 103. Therefore, the I / O port for controlling the actuator may be shared by the RP to which the normal control application 102 belongs and the RP to which the safety control application 103 belongs.

  Returning to FIG. The applications 101 to 103 are executed in a multiprogramming environment provided by the OS 100 and the processor 10. Among these, the safety monitoring application 101 executes the processor 10 to monitor the execution status of the normal control application 102, monitor the execution status of the safety control application 103, and monitor input / output data to the I / O port 12. Instruction code to make it Further, the safety monitoring application 101 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the safety monitoring application 101 is a safety related application.

  Further, the normal control application 102 includes an instruction code for causing the processor 10 to execute a control procedure for causing a control target such as a service robot to perform a normal function / operation. Further, the normal control application 102 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the normal control application 102 is a non-safety related application.

  Further, the safety control application 103 includes an instruction code for causing the processor 10 to execute a control procedure determined to ensure functional safety in response to a case where some abnormality is detected. Further, the safety control application 103 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the safety control application 103 is a safety-related application.

  The MMU 14 has a memory protection function and a virtual memory management function. The memory protection function is a function that monitors accesses from the processor 10 to the execution memory 11 and detects an access that causes a memory protection violation. When an access is made to an address in the execution memory 11 from the processor 10, it is determined whether or not the access has an access right to the address. If the access does not have access authority for the address, the access is detected as a memory protection violation and the processor 10 is notified of the memory protection violation. In this case, the MMU 14 may inhibit access to the execution memory 11.

  The MMU 14 realizes resource partitioning in the execution memory 11 by this memory protection function. Specifically, in the case illustrated in FIG. 3, the task belonging to RP1 is given an access authority to access only the area of the execution memory 11 assigned to RP1, and the task belonging to RP2 is assigned to Access authority is granted to access only the area of the execution memory 11 assigned to RP2. Thus, for example, when a task belonging to RP1 accesses an area of the execution memory 11 assigned to RP2, the MMU 14 detects the access as a memory protection violation. The access authority is given to each page of the execution memory 11. Further, an arbitrary size can be determined in advance as the size of one page.

  The virtual memory management function is a function for converting a virtual address designated when the processor 10 accesses the execution memory 11 into a physical address corresponding to the virtual address. That is, the MMU 14 accesses the execution memory 11 designated by the virtual address from the processor 10 by the virtual memory management function, and gives a physical address indicating the same address as the address on the execution memory 11 indicated by the virtual address. The access is converted to access to the designated execution memory 11 and issued to the execution memory 11.

  Here, the physical address corresponding to the access authority and the virtual address is set by the processor 10 in a TLB (Translation Look-aside Buffer) (not shown) of the MMU 14. The TLB is stored in a storage device (not shown) such as a register and a memory included in the MMU 14, for example. The TLB includes a plurality of entries. The contents for one page are set in one entry. In one entry, an ASID (Address Space Identification), a virtual address, a physical address corresponding to the virtual address, an access authority to a page, and the like are set.

  The ASID takes a value uniquely determined for each RP. In the present embodiment, since one RP corresponds to one TP, the ASID is also a value uniquely determined for each TP. As a virtual address in the TLB, a virtual page number indicating a certain range in which a page can be specified is generally set in the virtual address. The same applies to the physical address. In this case, the virtual address is converted into a physical address by replacing the range corresponding to the virtual page number with the physical page number and using the other offset address range as it is. Can do. As the access authority, data read authority, data write authority, and data (command) execution authority can be set. That is, the access authority can be set for each access type (read, write, or execution).

  For example, when reading and writing of data from a task belonging to a certain TP is permitted for a certain page on the execution memory 11, the entry includes an ASID corresponding to the TP, a virtual address of the page, and a physical of the page. Address, access authority with read authority and write authority, etc. are set.

  When the processor 10 accesses a certain address in a page on the execution memory 11 by reading or writing data, the processor 10 performs access specifying the ASID, virtual address, and access type (reading or writing). To issue. That is, a signal indicating each of the ASID, virtual address, and access type is output to the MMU 14. A value corresponding to the task that issued the access is specified for the ASID. That is, by referring to the designated ASID, it is possible to specify which TP belongs to the task with the authority of the task. In the present embodiment, the same ASID is designated for access from tasks belonging to the same TP. If the access type is write, data to be written to the execution memory 11 is also specified.

  The MMU 14 refers to the TLB, the designated ASID is set, the virtual address corresponding to the designated virtual address is set (the virtual page number matches), and the designated access type If an entry that is set to have the right is detected, access is permitted. In this case, the MMU 14 converts the virtual address specified in the access into a physical address based on the detected entry, and issues an access specifying the converted physical address and the access type to the execution memory 11. That is, signals indicating the physical address and the access type are output to the execution memory 11. If the access type is write, data to be written to the execution memory 11 is also specified.

  Further, the processor 10 issues an access specifying an ASID and a virtual address to the MMU 14 when accessing a certain address in a certain page on the execution memory 11 by executing data (instruction). The MMU 14 performs address conversion and access authority check in the same manner as described above. When the access is permitted, the MMU 14 issues an access specifying the converted physical address to the execution memory 11.

  In response to an access from the MMU 14, the execution memory 11 processes data according to the access. Specifically, the execution memory 11 outputs data of a specified physical address to the processor 10 when the access is performed by reading or writing and the access type is reading. The execution memory 11 writes the specified data to the specified physical address when the access is performed by reading or writing and the access type is writing. The execution memory 11 outputs the data of the designated physical address to the processor 10 when the access is performed by executing the data (instruction).

  On the other hand, the MMU 14 refers to the TLB, and a virtual address corresponding to the virtual address specified by access is set (virtual page number matches), but the authority of the specified ASID and the specified access type If is not set, a memory protection violation is detected. Note that when a virtual address corresponding to the virtual address designated by the access is not set, a page fault is detected.

  Further, the MMU 14 can switch the validity / invalidity according to an instruction from the processor 10. That is, when the processor 10 outputs an instruction to enable the MMU 14 to the MMU 14, the MMU 14 enables the memory management function and the virtual storage management function described above according to the instruction. As a result, the above-described memory protection violation and address conversion are performed. On the other hand, when the processor 10 outputs an instruction to invalidate the MMU 14 to the MMU 14, the MMU 14 invalidates the memory management function and the virtual management function described above according to the instruction. As a result, the above-described memory protection violation detection and address conversion are not performed. When the MMU 14 is invalidated, the processor 10 can access the execution memory 11 by issuing an access designating a physical address directly. In this case, the MMU 14 issues an access designating the physical address designated by the access as it is to the execution memory 11.

  Although FIG. 1 illustrates the case where the MMU 14 is provided outside the processor 10, the processor 10 may include the MMU 14.

  The reset circuit 15 resets the microcontroller 20 based on a signal from the OS 100. A transmission signal is periodically transmitted from the partition scheduler 21 to the reset circuit 15, and the reset circuit 15 resets the microcontroller 20 when the transmission signal from the partition scheduler 21 is interrupted. For example, as will be described later, the partition scheduler 21 transmits a transmission signal at a timing that operates every 1 tick. Further, when an abnormality is detected by the OS 100 or when a result notification indicating an abnormality is received from any of the applications 101 to 103, the partition scheduler 21 transmits a reset signal to the reset circuit 15 and responds accordingly. Thus, the reset circuit 15 may reset the microcontroller 20. By doing in this way, when a malfunction occurs in the microcontroller 20, the microcontroller 20 can be reset and recovered.

  Subsequently, the relationship between the partition scheduler 21 and the tasks generated by the activation of the applications 101 to 103 will be described with reference to FIG. FIG. 4 is a diagram showing the relationship between the partition scheduler 21 and the tasks 24, 26, and 28 that are activated in the multiprogramming environment provided by the OS 100.

  The microcontroller 20 includes a processor 10, an execution memory 11, an I / O port 12, a nonvolatile memory 13, and the like. 4 illustrates a configuration in which the reset circuit 15 is provided outside the microcontroller 20, but a configuration in which the reset circuit 15 is included in the microcontroller 20 may be employed.

  The microcontroller 20 is supplied with a clock signal from an external clock source, and the processor 10 and the like operate at a predetermined timer cycle based on this clock signal. In the present embodiment, the predetermined timer cycle is described as 1 Tick. For this reason, when the processor 10 executes the OS 100, the partition scheduler 21 operates every 1 Tick, and at each TP, the task schedulers 23, 25, 27 and tasks (safety monitoring task 24, normal control task 26, safety The control task 28) operates every 1 Tick.

  The partition scheduler 21 operates every 1 tick and performs TP switching (partition scheduling). The partition scheduler 21 selects and determines which of TP1 to TP3 is activated during the next 1 Tick. Furthermore, the partition scheduler 21 starts the operation of the task scheduler related to the selected TP.

  More specifically, partition scheduling by the partition scheduler 21 refers to the scheduling table 22 and performs partition scheduling according to a scheduling pattern that defines TP settings.

  The scheduling table 22 holds a scheduling pattern that defines the TP switching order and timing. For example, the scheduling table 22 is stored in advance in the execution memory 11. The scheduling table 22 holds at least two different scheduling patterns. One is a scheduling pattern that is applied when abnormality detection by the safety monitoring task 24 is not performed (that is, during normal time). The other is a scheduling pattern applied when an abnormality is detected by the safety monitoring task 24. Hereinafter, the scheduling pattern applied in the normal time is referred to as “normal control scheduling pattern”. A scheduling pattern applied at the time of detecting an abnormality is called a “safe control scheduling pattern”.

  FIG. 5A shows a specific example of the normal control scheduling pattern. In FIG. 5A, TP2 to which the normal control task 26 belongs is assigned to the first half (T1) of one cycle time. In addition, TP1 to which the safety monitoring task 24 belongs is assigned to the second half (T2) of one cycle time. According to the scheduling pattern of FIG. 5A, the normal control task 26 and the safety monitoring task 24 are repeatedly scheduled.

  FIG. 5B shows a specific example of the safety control scheduling pattern. In FIG. 5B, TP3 to which the safety control task 28 belongs is assigned to the first half (T3) of one cycle time. In addition, TP1 to which the safety monitoring task 24 belongs is assigned to the second half (T4) of one cycle time. According to the scheduling pattern of FIG. 5B, the safety control task 28 and the safety monitoring task 24 are repeatedly scheduled.

  Returning to FIG. The task schedulers 23, 25, and 27 perform task scheduling in the TP to which each belongs. For scheduling tasks in each TP, general priority-based scheduling may be applied. In FIG. 4, each TP is illustrated as including only one task, but one or more tasks may be included. For example, the normal control task A and the normal control task B may be included in the normal control TP2.

  The safety monitoring task 24 is a task generated when the safety monitoring application 101 is activated. In the example of FIG. 4, the safety monitoring task 24 is assigned to TP1 and RP1. The safety monitoring task 24 monitors the execution status of the normal control task 26 that is a non-safety related application, monitors the execution status of the safety control task 28 that is a safety related application, and monitors input / output data of the I / O port 12. To do. The safety monitoring task 24 performs calculations necessary for executing its own processing while using the resources of the execution memory 11 assigned to the RP1 to which the safety monitoring task 24 belongs. Furthermore, the safety monitoring task 24 notifies the partition scheduler 21 of the task execution status.

  The normal control task 26 is a task generated when the normal control application 102 is activated. In the example of FIG. 4, the normal control task 26 is assigned to TP2 and RP2. The normal control task 26 performs control for causing a control target such as a service robot to perform a normal function / operation. The normal control task 26 performs calculations necessary for executing its own processing while using the resources of the execution memory 11 assigned to the RP 2 to which the normal control task 26 belongs. Further, the normal control task 26 notifies the partition scheduler 21 of the task execution status.

  The safety control task 28 is a task generated when the safety control application 103 is activated. In the example of FIG. 4, the safety control task 28 is assigned to TP3 and RP3. The safety control task 28 performs control determined to ensure functional safety in response to any abnormality being detected. The safety control task 28 performs calculations necessary for executing its own processing while using the resources of the execution memory 11 assigned to the RP 3 to which the safety control task 28 belongs. Further, the safety control task 28 notifies the partition scheduler 21 of the task execution status.

  Various methods can be adopted as a specific configuration for notifying the result from each task to the partition scheduler 21. For example, a task can call a system call (service call) of the OS 100 and notify the partition scheduler 21 of the result via the OS 100. Specifically, for example, a system call for performing communication between tasks is called. Also, for example, assuming that a flag related to the task execution status is stored in the execution memory 11, the task sets a flag value according to the execution status, and the partition scheduler 21 executes the task according to the flag set value. The situation can also be judged.

  The OS 100 includes an MMU confirmation routine 29. The MMU confirmation routine 29 is a routine for confirming whether or not the MMU 14 is operating normally. Specifically, the MMU confirmation routine 29 intentionally accesses a memory area with the authority of a task to which no access authority is granted. Whether or not the MMU 14 is operating normally is determined based on whether or not the MMU 14 has detected a memory protection violation by the access. That is, when the MMU 14 detects a memory protection violation by such an access, the memory protection function is operating normally, and it is confirmed that the MMU 14 is operating normally. Note that the access at this time is performed without setting the write authority and the read authority by the task to be inspected with respect to the inspection target page.

  As described above, the partition scheduler 21 operates every 1 Tick, and selects and determines which of TP1 to TP3 is activated. Further, the partition scheduler 21 starts the operation of the task scheduler related to the selected TP. Then, task scheduling is performed by the task schedulers 23, 25, and 27 starting operations, and the processor 10 executes the tasks in the TP according to the order scheduled by the task schedulers 23, 25, and 27. Go. As a result, the application assigned to the active TP is executed by the processor 10.

  Next, partition scheduling by the partition scheduler 21 will be described below with reference to FIG. FIG. 6 is a flowchart showing a specific example of the processing procedure of the partition scheduler 21 according to the first embodiment of the invention.

  Note that FIG. 6 illustrates an example in which scheduling is performed according to a normal control scheduling pattern (for example, FIG. 5A) or a safety control scheduling pattern (for example, FIG. 5B). That is, when the next TP following TP2 or TP3 is TP1, and when an abnormality in TP2 is detected in TP1, the next TP selected and determined based on the result from TP1 is TP3 Will be described as an example.

  The OS 100 starts the partition scheduler 21 every time one tick elapses (S11) (S12). The partition scheduler 21 refers to the scheduling pattern and determines whether or not it is TP switching timing (S13).

  If it is determined that it is not the TP switching timing (No in S13), the partition scheduler 21 continues the operation for the same TPX. For this reason, the processes of S11 to S13, S15, and S16 are repeated until the TP switching timing is reached. Here, the variable X indicates the number of TP, and X is any one of 1 to 3. That is, when partition scheduling is performed according to the normal control scheduling pattern, either TP2 or TP1 except for TP3 for safety control is operated.

  On the other hand, when it is determined that it is TP switching timing (Yes in S13), the partition scheduler 21 executes TP switching (S14). As described above, when the partition scheduler 21 changes the TP to be activated next (Yes in S13), the partition TP before switching is normal according to the notification result from the task belonging to the TP before switching. It is determined whether or not. If the TP before switching is abnormal as a result of the determination, the partition scheduler 21 selects and determines the TPX to be activated during the next 1 Tick from either TP1 or TP3 according to the safety control scheduling pattern. As a result of the determination, if it is normal, the partition scheduler 21 selects and determines one of TP1 and TP2 in accordance with the normal control scheduling pattern for TPX to be activated during the next 1 Tick.

  The partition scheduler 21 operates the task scheduler of the currently active TPX (S15). The task scheduler of TPX that started the operation in S15 executes the task in TPX according to the priority (S16).

  When 1 Tick elapses (S11), the partition scheduler 21 starts TP scheduling again (S12). That is, the partition scheduler 21 selects and determines which TP is to be activated during the next 1 Tick according to the scheduling pattern.

  A specific example of partition scheduling will be described with respect to the processing shown in FIG. First, according to the normal control scheduling pattern illustrated in FIG. 5A, the case where scheduling is started from the active state of TP2 in S15 will be described. In this case, TPX = TP2 is started in S15, and TPX = TP2 remains even in subsequent S16 and S11 to S13. And as long as No continues in S13, the state of TPX = TP2 is maintained. If S13 is Yes and TP2 is changed to TP1 in S14, TP1 remains in S15 to S16 and S11 to S13. As long as No continues in S13, the state of TPX = TP1 is maintained. When it is determined in S16 that the execution status (data input / output, etc.) related to TP2 is normal when TP1 is active, TPX = TP2 in the next S14 (that is, start from TP2). Normal control scheduling pattern continues.) On the other hand, if it is determined in S16 that the execution status (data input / output, etc.) relating to TP2 is abnormal, TPX = TP3 (that is, a safety control scheduling pattern starting from TP3) in the next S14. Switch to.)

  Further, a case will be described in which scheduling is started from the active state of TP3 in S15 according to the safety control scheduling pattern illustrated in FIG. 5B. In this case, TPX = TP3 is started in S15, and TPX = TP3 remains even in subsequent S16 and S11 to S13. And as long as No continues in S13, the state of TPX = TP3 is maintained. If the answer is Yes in S13 and the TP3 is changed to TP1 in S14, TP1 remains as it is in subsequent S15 to S16 and S11 to S13. As long as No continues in S13, the state of TPX = TP1 is maintained. When it is determined in S16 that the execution status (data input / output, etc.) relating to TP3 is normal when TP1 is active, TPX = TP2 is set in the next S14 (that is, starting from TP2). Switch to normal control scheduling pattern.) On the other hand, if it is determined in S16 that there is an abnormality in the execution status (data input / output, etc.) related to TP3, TPX = TP3 (that is, a safety control scheduling pattern starting from TP3) in the next S14. Will continue.)

  In the above-described example, a case where only three TPs (safety monitoring TP1, normal control TP2 and safety control TP3) are combined as a scheduling pattern has been described as an example. There may be a plurality of control partitions and safety control partitions such as TP3. For example, there are two TP2 and TP4 for normal control, TP1 for safety monitoring, and two TP3 and TP5 for safety control, and these five TPs (TP1 to TP5) are combined to form a scheduling pattern. It may be configured. In this case, in S14, the partition scheduler 21 determines the type of the abnormal state of the execution status (data input / output, etc.) related to TPX, and selects either TP3 or TP5 for safety control according to the abnormal type. That's fine. In S14, either TP2 or TP4 for normal control may be selected.

  As described above, in this embodiment, the OS 100 includes the partition scheduler 21 that selects and determines the partition to be activated next in response to a notification from the TP1 for safety monitoring or a notification from each TP. ing. The partition scheduler 21 operates at a predetermined timer period independently of the tasks executed in each TP.

  With the configuration in which the partition scheduler 21 that operates independently receives the result notification from all TPs, the partition scheduler 21 can centrally grasp the situation regarding all TPs. Therefore, for example, when the partition scheduler 21 decides and selects the next partition in response to the result notification from the safety monitoring TP1, the partition scheduler 21 considers the situation of each TP. The next partition can be determined and selected only from the TP in the normal state. According to this, there is an effect that more accurate partition scheduling can be realized.

  Next, the MMU confirmation process by the MMU confirmation routine 29 will be described with reference to FIG. FIG. 7 is a flowchart showing a specific example of the processing procedure of the MMU confirmation routine 29 according to the first embodiment of the invention. When the OS 100 executes the MMU confirmation routine 29, the processing procedure described below is executed. Strictly speaking, the processing described below is executed by the processor 10 that executes the OS 100.

  The OS 100 backs up data stored in the TBL entry to be inspected (S21). Here, the backed up data may be stored in the execution memory 11 or may be stored in the nonvolatile memory 13.

  The OS 100 sets contents regarding the inspection target page in the inspection target entry. Specifically, access to the entry to be inspected without the ASID of the task to be inspected, the virtual address of the page to be inspected, the physical address of the page to be inspected, and the read, write, and execution rights Authority and the like are set (S22). The access authority to be set is not limited to the pattern exemplified here. That is, only the access type to be inspected may be set without authority. For example, in the case of checking whether or not an access protection violation is normally detected for the read authority, at least the read authority may be set to none.

  The OS 100 accesses (reads, writes, or executes) the boundary of the inspection target page (S23). Specifically, the OS 100 accesses each of the beginning and the end. Here, it is assumed that the beginning and the end of the page are accessed within a predetermined fixed length range such as 4 words.

  The OS 100 restores the data backed up in S11 to the entry to be inspected (S24). Then, the OS 100 determines whether or not a memory protection violation has been detected in the access in S13 (S25). That is, the OS 100 determines whether or not a memory protection violation is notified from the MMU 14.

  When a memory protection violation is detected (Yes in S25), the OS 100 determines that the MMU 14 is operating normally (S26). In this case, the OS 100 continues execution of normal processing (partition scheduler 21, task scheduler 23, 25, 27, execution of tasks 24, 26, 28, etc.) (S27). On the other hand, when no memory protection violation is detected (No in S25), the OS 100 determines that the MMU 14 is not operating normally (S28). In this case, the OS 100 executes an emergency stop routine.

  Here, the emergency stop routine is a process for stopping the control target in an emergency in order to ensure the safety of the control target. For example, when operating according to the normal control scheduling pattern shown in FIG. 5A, the scheduling pattern may be switched to the safety control scheduling pattern shown in FIG. 5B. Further, TP may be forcibly switched to TP3 at the next operation timing of partition scheduler 21. Then, after switching to TP3, for example, the control target is stopped by the safety control task 28. Further, the OS 100 may be controlled to directly stop the control target.

  The processing of the MMU confirmation routine 29 described above may be executed at an arbitrary timing when control is transferred to the OS 100. For example, as shown in FIG. 8, when execution of all tasks belonging to the TP is completed and control is transferred to the OS 100, processing may be executed for the remaining TP time. . By doing in this way, the surplus time in TP can be used effectively.

  Note that any combination of pages, tasks, and entries to be inspected in the MMU confirmation routine 29 may be combined in any order. For example, the pages to be inspected are all pages in the execution memory 11 in the order from the top, and the tasks to be inspected are inspected in the predetermined order for all the tasks 24, 26, and 28. The entries may be checked by combining all the entries in the TLB in order from the top to check the operation of the MMU 14 for all the combinations. Further, as shown in FIG. 8, when the operation of the MMU 14 is checked in the remaining time of the TP2, the operation of the MMU 14 may be checked with a task belonging to the next active TP1 as an inspection target.

  In the processing procedure of the MMU confirmation routine 29 described above, the top and the bottom of the page are accessed, but the present invention is not limited to this. For example, you may make it access either one of the head and the tail. Moreover, you may make it access the whole page. Further, an arbitrary position other than the top and the end of the page may be accessed. However, preferably, as described above, the boundary value analysis is performed by targeting the head and tail of the page, so that it is expected that the accuracy of detecting an abnormality in the MMU 14 is improved.

  As described above, in the first embodiment, the area of the execution memory 11 to which the access authority is not given to the task is intentionally accessed with the authority of the task to be inspected. Yes. Then, it is determined whether or not the MMU 14 has detected a memory protection violation by the access. According to this, when a memory protection violation is detected, it can be confirmed that the memory protection by the MMU 14 is normally performed. That is, it can be confirmed that the MMU 14 is operating normally.

<Embodiment 2 of the Invention>
Then, the safety control apparatus concerning Embodiment 2 of this invention is demonstrated. Since the configuration of the safety control device according to the second embodiment is the same as the configuration of the safety control device according to the first embodiment described with reference to FIG. 1, the description thereof is omitted. Below, the relationship between the partition scheduler 30 and the tasks generated by the activation of the applications 101 to 103 will be described with reference to FIG. FIG. 9 is a diagram showing the relationship between the partition scheduler 30 and the tasks 24, 26, and 28 according to the second embodiment. Hereinafter, the description of the same contents as those in Embodiment 1 will be omitted as appropriate.

  As shown in FIG. 9, the second embodiment is different from the first embodiment in that a partition scheduler 30 is provided instead of the partition scheduler 21 and an MMU confirmation routine 29 is included in the partition scheduler 30. . That is, the partition scheduler 30 according to the second embodiment is different from the partition scheduler 21 according to the first embodiment in that an MMU confirmation routine 29 is executed.

  Next, partition scheduling by the partition scheduler 30 will be described with reference to FIG. FIG. 10 is a flowchart showing a specific example of the processing procedure of the partition scheduler 30 according to the second embodiment of the invention. In addition, about the process procedure similar to the process procedure concerning Embodiment 1 demonstrated with reference to FIG. 6, the same code | symbol is attached | subjected and description is abbreviate | omitted. The processing procedure according to the second embodiment is different from the processing procedure according to the first embodiment in that S17 is executed when Yes in S13, and then S14 is executed.

  When it is determined that it is the TP switching timing (Yes in S13), the partition scheduler 30 executes the MMU confirmation routine 29 for the page used in the switching destination TP (S17). Then, the partition scheduler 30 executes TP switching after executing the MMU confirmation routine 29 (S14).

  The processing procedure in the MMU confirmation routine 29 is the same as the processing described with reference to FIG. 7 in the first embodiment except that it is executed by the partition scheduler 30 of the OS 100, and thus the description thereof is omitted. Here, in the second embodiment, as described above, the MMU confirmation routine 29 is executed for the page used in the switching destination TP. That is, the partition scheduler 30 inspects a page adjacent to a page used in the switching destination TP that is highly likely to be affected by an access to the page used in the switching destination TP. The reason is that the task is likely to access the adjacent page by mistake, assuming that there is a high possibility in the case where the task malfunctions and accesses the memory protection violation. Therefore, the partition scheduler 30 has the authority (ASID) of the task belonging to the switching destination TP, the access authority for the task belonging to the page used by the task belonging to the switching destination TP and belonging to the switching destination TP. The MMU confirmation routine 29 is executed for the pages to which no is assigned.

  Specifically, the partition scheduler 30 refers to the TLB of the MMU 14 and searches for an entry in which an ASID corresponding to the switching destination TP is set. The page set in the entry detected by this search becomes the page used in the switching destination TP. Furthermore, the partition scheduler 30 is set for a page adjacent to the page of the detected entry based on the virtual address or physical address set in the detected entry, and the ASID corresponding to the switching destination TP. Find entries that are not. Then, the partition scheduler 30 recognizes the page set in the entry detected by this search as the page to be inspected. Therefore, the page to be inspected does not have the access authority with the authority (ASID) of the task belonging to the switching destination TP even if the setting of the TLB entry is not changed. Therefore, the partition scheduler 30 may execute the MMU confirmation routine 29 without executing the entry backup at S21, the entry setting at S22, and the entry restoration at S24. For the reasons described above, in step S23, only the side adjacent to the page used in the task belonging to the switching destination TP may be accessed from the beginning and end of the page to be inspected.

  As described above, in the second embodiment, when the TP is switched, the operation of the MMU 14 is checked with respect to the page of the execution memory 11 accessed by the task executed by the switching destination TP. . According to this, it can be confirmed that the operation of the MMU 14 is normally performed with respect to the page of the execution memory 11 used most recently. For this reason, it is possible to detect the abnormality of the MMU 14 earlier, and it is possible to further improve the reliability.

<Third Embodiment of the Invention>
Next, the safety control device 2 according to the third embodiment of the present invention will be described. FIG. 11 is a block diagram illustrating a configuration example of the safety control device 2 according to the third embodiment. Hereinafter, the description of the same contents as those in Embodiment 1 will be omitted as appropriate.

  The safety control device 2 according to the third embodiment has an OS 200 instead of the OS 100 as compared with the safety control device 1 according to the first embodiment described with reference to FIG. Is different.

  The MMU confirmation application 104 includes an instruction code for causing the processor 10 to execute processing for confirming whether or not the MMU 14 is operating normally by executing the MMU confirmation routine 29. The MMU confirmation application 104 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. The MMU confirmation application 104 is a safety related application. The difference between the OS 100 and the OS 200 will be described later.

  Next, the relationship between the partition scheduler 21 and tasks generated by starting up the applications 101 to 104 will be described with reference to FIG. FIG. 12 is a diagram illustrating a relationship between the partition scheduler 21 and the tasks 24, 26, 28, and 32 according to the third embodiment.

  As shown in FIG. 12, the third embodiment has an OS 200 instead of the OS 100, a scheduling table 33 instead of the scheduling table 22, and a task scheduler 31 as compared with the first embodiment. The difference is that it has an MMU confirmation task 32. Further, in the third embodiment, TP4 and RP4 are further defined as compared with the first embodiment. A task scheduler 31 and an MMU confirmation task 32 belong to TP4 and RP4.

  The OS 200 according to the third embodiment is different from the OS 100 according to the first embodiment in that it does not have the MMU confirmation routine 29. That is, the operation check of the MMU 14 is not performed directly by the OS 200. As will be described later, in the third embodiment, the MMU confirmation task 32 operating on the OS 200 executes the MMU confirmation routine 29.

  Similar to the task schedulers 23, 25, and 27, the task scheduler 31 performs scheduling of tasks in the TP4 to which the task scheduler 31 belongs. In FIG. 12, TP4 is illustrated as including only one task, but one or more tasks may be included.

  The MMU confirmation task 32 is a task generated when the MMU confirmation application 104 is activated. In the example of FIG. 12, the MMU confirmation task 32 is assigned to TP4 and RP4. The MMU confirmation task 32 confirms whether or not the MMU 14 is operating normally by executing the MMU confirmation routine 29.

  The scheduling table 33 holds the scheduling pattern shown in FIGS. 13A and 13B. FIG. 13A shows a specific example of the normal control scheduling pattern. In FIG. 13A, the period (T1) of TP2 to which the normal control task 26 belongs, the period (T2) of TP1 to which the safety monitoring task 24 belongs, and the period (T5) of TP4 to which the MMU confirmation task 32 belongs are assigned in one cycle time. It has been. FIG. 13B shows a specific example of the safety control scheduling pattern. In FIG. 13B, in one cycle time, the period (T1) of TP1 to which the safety monitoring task 24 belongs, the period (T2) of TP1 to which the safety monitoring task 24 belongs, and the period (T6) of TP4 to which the MMU confirmation task 32 belongs are assigned. It has been.

  Since the processing procedure in the MMU confirmation routine 29 is the same as the processing described with reference to FIG. 7 in the first embodiment except that the MMU confirmation task 32 executes, the description thereof is omitted. Here, the MMU confirmation task 32 can access only resources allocated to the RP 4 with the authority of the task of the TP 4. In general, the OS 200 prevents a task operating on the OS 200 from accessing a TLB entry in the MMU 14. Therefore, the OS 200 according to the third embodiment has an API function that enables access to the MMU confirmation task 32 for backup, restoration, and search of entry data, and the authority of the task to be inspected ( An API function or the like that enables issuance of access to a page to be inspected by ASID). Then, the MMU confirmation task 32 executes the MMU confirmation routine 29 using each API function.

  Further, when the MMU confirmation task 32 detects an abnormality of the MMU 14 (No in S25, S28), it notifies the partition scheduler 21 of the abnormality as an emergency stop routine. And according to the notification, the partition scheduler 21 switches the scheduling pattern to the safety control scheduling pattern and urgently stops the control target.

  As in the third embodiment described above, a dedicated TP for confirming the operation of the MMU 14 can be defined and the operation of the MMU 14 can be confirmed by a task belonging to the TP.

<Embodiment 4 of the Invention>
Then, the safety control apparatus concerning Embodiment 4 of this invention is demonstrated. Since the configuration of the safety control device according to the fourth embodiment is the same as the configuration of the safety control device according to the first embodiment described with reference to FIG. 1, the description thereof is omitted. Below, the relationship between the partition scheduler 21 and the task generated by the activation of the applications 101 to 103 will be described with reference to FIG. FIG. 14 is a diagram illustrating a relationship between the partition scheduler 21 and the tasks 34 to 36 according to the fourth embodiment. Hereinafter, the description of the same contents as those in Embodiment 1 will be omitted as appropriate.

  As shown in FIG. 14, the fourth embodiment has an OS 200 instead of the OS 100 as compared with the first embodiment, and replaces the safety monitoring task 24, the normal control task 26, and the safety control task 28 with each other. The difference is that a safety monitoring task 34, a normal control task 35, and a safety control task 36 are provided. Each of the safety monitoring task 34, the normal control task 35, and the safety control task 36 is different from the safety monitoring task 24, the normal control task 26, and the safety control task 28 in that it has an MMU confirmation routine 29. .

  The OS 200 according to the fourth embodiment does not have the MMU confirmation routine 29 as compared with the OS 100 according to the third embodiment, as compared with the OS 100 according to the first embodiment. That is, the OS 200 does not directly check the operation of the MMU 14.

  Compared with the safety monitoring task 24 according to the first embodiment, the safety monitoring task 34 according to the fourth embodiment further executes an MMU confirmation routine 29 to determine whether the MMU 14 is operating normally. The point to check is different. Compared with the normal control task 26 according to the first embodiment, the normal control task 35 according to the fourth embodiment further executes an MMU confirmation routine 29 to determine whether the MMU 14 is operating normally. The point to check is different. Compared with the safety control task 28 according to the first embodiment, the safety control task 36 according to the fourth embodiment further executes an MMU confirmation routine 29 to determine whether the MMU 14 is operating normally. The point to check is different.

  The processing procedure in the MMU confirmation routine 29 is the same as the processing described with reference to FIG. 7 in the first embodiment except that each of the safety monitoring task 34, the normal control task 35, and the safety control task 36 is executed. Therefore, the description thereof is omitted. Here, each of the safety monitoring task 34, the normal control task 35, and the safety control task 36 executes the MMU confirmation routine 29 for the page used by the TP to which each belongs. That is, each of the tasks 34 to 36 inspects a page adjacent to a page used by the TP to which each task belongs. With the authority (ASID) of each task 34 to 36, the MMU confirmation routine 29 is executed for the page used by each. Therefore, each task 34 to 36 is the authority (ASID) of each task 34 to 36, is adjacent to the page used by each task 34 to 36, and has access authority to each task 34 to 36. The MMU confirmation routine 29 is executed for the pages to which no is assigned. Here, the method for specifying the pages to be inspected by the tasks 34 to 36 is the same as the method described in the second embodiment, and thus the description thereof is omitted. Further, for the same reason as in the second embodiment, in step S23, only the side adjacent to the page used in the TP to which each task 34 to 36 belongs is accessed from the head and the tail of the page to be inspected. May be.

  The page to be inspected does not have the access authority with the authority (ASID) of each task 34 to 36 even if the setting of the TLB entry is not changed. Therefore, each of the tasks 34 to 36 may execute the MMU confirmation routine 29 without executing the entry backup in S21, the entry setting in S22, and the entry restoration in S24.

  Here, normally, the OS 200 is prevented from accessing the entry of the MMU 14 from a task operating on the OS 200. Therefore, as with the OS 200 according to the third embodiment, the OS 200 according to the fourth embodiment has an API that enables access for backup, restoration, and search of entry data to the tasks 34 to 36. Provide a function. Then, each of the tasks 34 to 36 executes the MMU confirmation routine 29 using the respective API function.

  Further, when each of the tasks 34 to 36 detects an abnormality of the MMU 14 (No in S25, S28), it notifies the partition scheduler 21 of the abnormality as an emergency stop routine. And according to the notification, the partition scheduler 21 switches the scheduling pattern to the safety control scheduling pattern and urgently stops the control target.

  As described above, in the fourth embodiment, the operation of the MMU 14 for each page of the execution memory 11 assigned to the RP corresponding to each TP by the tasks belonging to each TP in each of TP1 to TP3. You can also check.

Another embodiment of the invention.
In the present embodiment, the case where the tasks belonging to each of the TPs are the safety monitoring tasks 24 and 34, the normal control tasks 26 and 35, and the safety control tasks 28 and 36, respectively, is exemplified. Not limited. The present invention is not limited to the safety monitoring task 24, the normal control task 26, and the safety control task 28, and may have a task for executing processing related to control of any other control target.

  For example, you may make it have the tasks 37-39 as shown in FIG. In this case, the safety control device needs to have applications corresponding to the tasks 37 to 39 instead of the applications 101 to 103. However, since this point is obvious, illustration and description are omitted.

  The supervisory control task 37 controls the control target. Specifically, the supervisory control task 37 controls the actuator to be controlled based on command values from the normal control task 38 and the safety control task 39. The normal control task 38 performs control calculation for causing the control target to perform a normal function / operation. Specifically, the normal control task 38 calculates the actuator command value by performing control calculation of the actuator in normal control. The normal control task 38 outputs the calculated command value to the monitoring control task 37. The safety control task 39 performs a control calculation determined to ensure functional safety. Specifically, the safety control task 39 calculates the actuator command value by performing a control calculation of the actuator in the safety control. The safety control task 39 outputs the calculated command value to the monitoring control task 37. The supervisory control task 37 controls the actuator based on the command value output from the normal control task 38 or the safety control task 39.

  Furthermore, the monitoring control task 37 acquires a sensor value from the sensor to be controlled. The monitoring control task 37 outputs the acquired sensor value to the normal control task 38 and the safety control task 39. Each of the normal control task 38 and the safety control task 39 may perform actuator control calculation based on the sensor value output from the monitoring control task 37.

  In addition, for example, tasks 40 to 42 as shown in FIG. 23 may be included. In this case, the safety control device needs to have an application corresponding to the tasks 40 to 42 instead of the applications 101 to 103. However, since this point is obvious, illustration and description are omitted.

  The monitoring task 40 acquires a sensor value from the sensor to be controlled. This sensor includes a posture sensor for detecting the posture of the control target as described above. The example demonstrated here demonstrates the case where it applies to the traveling apparatus which a person can board as a control object. In this case, the monitoring task 40 can detect the movement of the center of gravity by the passenger using the posture sensor. The monitoring task 40 outputs the acquired sensor value to an HMI (Human Machine Interface) task 39.

  Based on the sensor value output from the monitoring task 40, the HMI task 42 performs control calculation of the actuator to be controlled, and calculates a command value for the actuator. The HMI task 42 outputs the calculated command value to the control task 41. The control task 41 controls the actuator based on the command value output from the HMI task 42.

  According to this, it is possible to realize an HMI in which a control target is controlled in accordance with a passenger's operation. For example, it is possible to perform control such that the control object moves back and forth when the passenger moves the center of gravity back and forth, and the control object turns left and right when the passenger moves the center of gravity left and right. The same can be said for the examples described with reference to Embodiments 1 to 4 and FIG. Specifically, the normal control tasks 26 and 35 and the safety control tasks 28 and 36, or the normal control task 38 and the safety control task 39, depending on the sensor values acquired by the safety monitoring tasks 24 and 34 or the monitoring control task 37. However, HMI can be realized by performing similar control. Moreover, according to this Embodiment, it becomes possible to perform control of the controlled object with improved reliability. Therefore, as described above, it is possible to perform control of a controlled object with improved safety by applying a traveling device on which a person can board as a controlled object.

  In addition, as a traveling apparatus, it can also be set as the coaxial two-wheeled vehicle of standing up riding. In this case, the wheel rotates by controlling the actuator. Further, the safety control device itself may be mounted on the control target.

  Furthermore, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the gist of the present invention described above.

  In the present embodiment, the case where the OS has TP1 to TP3 is illustrated, but the type and number of TPs are not limited to this. The scheduling pattern is not limited to that exemplified in the present embodiment.

  In the present embodiment, the case where the number of tasks is three is exemplified, but the number of tasks is not limited to this. For example, in the present embodiment, the case where there are three TPs TP1 to TP3 is illustrated, but the number of TPs is set to a number other than three, and each TP has one or more arbitrary numbers of tasks. You may do it.

  In the present embodiment, the case where different access authorities are assigned for each TP (RP) has been illustrated. That is, in the present embodiment, the case where the same access authority is given to tasks belonging to the same TP is exemplified, but the present invention is not limited to this. For example, a different access authority may be given for each task. In this case, the ASID is uniquely defined for each task. In this case, in the second embodiment, the MMU confirmation routine 29 may be executed for the pages used in each of the tasks belonging to the switching destination TP.

  In the present embodiment, the multitask OS adopting time partitioning is exemplified, but the present invention is not limited to this. The present invention can also be applied to a multitasking OS that does not employ time partitioning. In this case, the ASID is uniquely defined for each task.

  In the present embodiment, the case where the management target of the MMU 14 is the execution memory 11 that is a RAM is illustrated, but the present invention is not limited to this. For example, the storage device managed by the MMU may be a ROM. Further, the storage device to be managed by the MMU may be a combination of RAM and ROM.

  Further, interrupts that are not related to the MMU for the processor 10 may be suppressed before the MMU confirmation routine is executed, and the interrupt suppression may be released after the MMU confirmation routine is executed. In this way, it is possible to prevent other processing from being performed while the data at the time of inspection is stored in the TLB entry.

  In this embodiment, the case where the memory protection function is implemented by the MMU is illustrated, but the present invention is not limited to this. For example, a memory protection function may be implemented by an MPU.

1, 2 Safety control device 10 Processor 11 Execution memory 12 I / O port 13 Non-volatile memory 14 MMU
15 Reset circuit 20 Microcontroller 21, 30 Partition scheduler 22, 33 Scheduling table 23, 25, 27, 31 Task scheduler 24, 34 Safety monitoring task 26, 35, 38 Normal control task 28, 36, 39 Safety control task 29 MMU confirmation Routine 32 MMU confirmation task 37 Monitoring control task 40 Monitoring task 41 Control task 42 HMI task 100, 200 Operating system 101 Safety monitoring application 102 Normal control application 103 Safety control application 104 MMU confirmation application

Claims (7)

Memory,
A system program for executing a plurality of tasks each accessing the memory;
A processor for executing the system program;
A memory protection device that detects the access as a memory protection violation when an access to the memory from the processor by the task authority is an access to an area to which the access authority is not granted to the task; ,
The processor executes the system program,
With intentional access to the area of the memory that is not granted access authority to the task with the authority of the task,
Determining whether the memory protection device has detected the memory protection violation by the access;
Information processing device. The information processing apparatus is a control apparatus that controls a control target,
The plurality of tasks include a control-related task that controls the control target and accesses the memory accordingly.
The information processing apparatus according to claim 1. The system program schedules and executes the control related task according to scheduling information indicating scheduling contents of a plurality of time partitions including a control related time partition in which the control related task is executed,
When the system program switches the time partition to the control-related time partition, the system program has an access right to the control-related task adjacent to an area where the access right is granted to the control-related task executed in the control-related time partition. For the region to which is not assigned, the processor performs the determination.
The information processing apparatus according to claim 2. When the memory protection device does not detect the memory protection violation due to the intentional access, the processor determines that the memory protection device is abnormal and executes processing according to the abnormality.
The information processing apparatus according to any one of claims 1 to 3. The processor accesses data of a predetermined size at least one of the beginning and end of the memory area;
The information processing apparatus according to any one of claims 1 to 4. The memory protection device is an MMU (Memory Management Unit) or MPU (Memory Protection Unit).
The information processing apparatus according to any one of claims 1 to 5. When the access to the memory by the authority of the task from a processor that executes a system program that executes a plurality of tasks each accessing a memory is an access to an area to which the access authority is not granted to the task, An operation check method of a memory protection device for detecting the access as a memory protection violation,
The processor intentionally accessing an area of the memory that is not authorized to access the task with the authority of the task;
The processor determines whether the memory protection device has detected the memory protection violation by the access; and
A method for confirming the operation of a memory protection device comprising:

Images